Twitter has admitted to ad-targeting data breaches in regard to user permissions, according to reports.
The company said it found bugs that may have shared user information with advertisers even when users asked it not to do so.
“If you clicked or viewed an advertisement for a mobile application and subsequently interacted with the mobile application since May 2018, we may have shared certain data (e.g., country code, if you engaged with the ad and when, information about the ad, etc.) with trusted measurement and advertising partners, even if you didn’t give us permission to do so,” the company said in a post explaining the issues.
The company also said that in the process of trying to show users better advertising on the platform, it may have shown ads “based on inferences we made about the devices you use, even if you did not give us permission to do so. The data involved stayed within Twitter and did not contain things like passwords, email accounts, etc.”
Twitter said it fixed the issues on Aug. 5, although it didn’t say when it realized the breaches were happening. The data leaks may have been happening since May of last year, which is also when the General Data Protection Regulation (GDPR) in Europe came into effect.
The social media company said it doesn’t share users’ names or other identifying characteristics with ad partners, but it does share what’s called a mobile device identifier, which is considered a unique identifier under GDPR rules. With the mobile identifier, Twitter and advertisers can track people’s internet activity, which allows for ad targeting.
Twitter’s admission of using inferences about interests based on tracking could also be another breach of GDPR, especially if users didn’t consent to being tracked. Most of the tracking is done through cookies, which collects data and leaves a sort of trail that links user history to products.
“What is there for you to do? Aside from checking your settings, we don’t believe there is anything for you to do,” Twitter said. “You trust us to follow your choices and we failed here. We’re sorry this happened, and are taking steps to make sure we don’t make a mistake like this again. If you have any questions, you may contact Twitter’s Office of Data Protection through this form.”